Shellcode Tutorial 9: Generating Shellcode Using Metasploit

Introduction

Metasploit is an open source exploit framework that provides you with heaps of exploits, as well as tools to assist you in creating your own exploits. This includes the ability to generate a large range of shellcodes for different purposes and platforms that can be customised to attack your target.

This tutorial is an introduction into using the Metasploit Framework to generate shellcode.

Our Aim

Initially we will briefly look at the awesome web interface that Metasploit provides and the easiest way to generate shellcode using Metasploit. Using this interface we will generate the following shellcode:

- linux/x86/adduser/bind_tcp

The majority of the tutorial will then focus on the command line interface to Metasploit since these will be used in later tutorials. We will use the command line to generate the following shellcode in different formats including raw, unicode, and as a Windows executable:

To access the Metasploit Web Interface, run the following program that will start "msfweb" on http://127.0.0.1:55555:

- C:\msf3\msfweb.bat

This is demonstrated in the following figure:

To access the shellcode generation feature of the Metasploit Web Interface, click on the "Payloads" button in the top toolbar. You should now be looking at the following screen showing the available payloads that you are able to generate:

Within the search field type "add user" (without the quotes), and you should be presented with a bunch of payloads that can add a user account to a system. We want to select the "Linux Add User" payload by clicking on the payload title.

This will take you to the screen below that allows you to configure the parameters that you want your payload to execute with, including the username to be created, the corresponding password, and the shell that you want to use for this user.

Some of the more relatively advanced options include any characters that your exploit cannot include, such as a null character since it terminates strings and often prevents your exploit from working. The encoder option allows you to encode your payload so that it adheres to requirements of your exploit, such as having no upper-case letters in case the system you are exploiting converts the payload to lower-case prior to the vulnerability being exploited.

Then lastly is the format option that allows you to format the resulting shellcode for use in different programming languages.

Different payloads will present you with different options within this screen. For example, if you are using a connectback payload then you will need to specify the IP address of the attacker's machine so that the shellcode can connect back to you.

We will use the defaults for this example, as shown below:

If you now hit the generate button, Metasploit will generate the shellcode using the parameters that you specified. This should look similar to the following:

You are then able to copy this shellcode into an exploit for the specified platform. Since the default format was "C" then this would be used in an exploit programmed in C. If we had an exploit written in perl or ruby, etc, then we would generate the shellcode for use in that programming language.

This tutorial will show an example of inserting the generated shellcode into an exploit towards the end.

It should be noted that the web interface of Metasploit may cause some characters to not be present within the generated shellcode causing it to fail. Therefore, the best way to generate shellcode via Metasploit is via the command line using the msfpayload command.

Generating OSX shellcode using the Metasploit "msfpayload" command

Initially we want to launch a bash shell that is provided within the Metasploit installation. This can be done by running the following executable:

C:\msf3\shell.bat

If you now run "msfpayload" (without any options) it will display all of the different types of shellcode that Metasploit can generate.

The first payload that we want to generate is the OSX PPC Reverse TCP Shell, which is referred to as the following in Metasploit:

- osx/ppc/shell_reverse_tcp

The following is the format of options that the msfpayload command accepts:

Based on these options, we now know the payload name that we want, but don't know the variables that we need to set for this payload. This can be enumerated by using the "S" (Summary) option of msfpayload, as shown below:

We can see that we can customise the LHOST and LPORT variables. The next option is the output type. For this example we are going to stick with "C" (C programming language). Therefore, execute the following command to generate our shellcode:

Generating shellcode via Metasploit is platform independant, so there is no difference in the process detailed above. To prove this we will step through generating the following payload:

- solaris/x86/shell_find_port

This type of payload is commonly known as "Connection Reuse" or "Find Port" shellcode. This shellcode technique is handy when attempting to exploit a host behind a firewall that has its inbound and outbound rules locked down so that no inbound closed ports or outbound open ports are available. This setup prevents an attacker from using a Port Bind or Connectback payload since they will be blocked by the firewall.

This payload works by the attacker setting the source port of their connection to a predefined value. The shellcode then searches the established connections on the compromised host for one with the hardcoded source port. Once it finds a connection with this source port it reuses the already established connection to point the attacker through to a shell.

The downfall of this type of shellcode is when the firewall is using NAT to the host since the firewall will terminate the attacker's connection at the firewall, and create a new connection from the firewall to the host with a new source port. Similarly if the connection traverses a proxy, a new connection is made between the target and the proxy. When the shellcode searches for the attacker's source port, it won't find it and the shellcode fails. For this reason, Metasploit has a different payload called "find_tag" which places a predefined "tag" on the established connection. This payload searches the established connections for the tag and is able to identify the relevant connection.

So after that little speal, the first thing we want to do is determine the options required for this payload using the following command:

In this case the only variable used is CPORT, which has a default value. We will specify it anyway on the command line.

These days a lot of client-side vulnerabilities are coming out in software such as Internet Explorer, Adobe Reader, Microsoft Office, etc. Often these vulnerabilities are exploited by injecting the exploit and shellcode into a malicious HTML page. Since most shellcode contains binary data then it can't be inserted directly into a webpage. In this case it needs to be encoded using Unicode Encoding so that it can be placed into a JavaScript function and decoded using the unescape() function. Of course Metasploit provides the JavaScript (or J) option within msfpayload to automatically encode the shellcode with Unicode encoding. This results in the following command:

We simply copy our generated shellcode into the "insertpayloadhere" section of the exploit. Often you will find that an exploit will already contain some shellcode, such as a generic portbind payload. Again, you just simply replace it with your own shellcode to customise the exploit to your target environment. The resulting exploit snippet is shown below:

Generating shellcode as a Windows executable using the Metasploit "msfpayload" command.

Metasploit provides the functionality to output the generated payload as a Windows executable. This is useful for testing that the generated shellcode actually does what you expect, as well as for sending the executable to the victim say via email, HTTP, or even via a "Download and Execute" payload.

A Download and Execute payload is useful when an exploit only has a small buffer where the shellcode can be inserted. This can dramatically restrict which payloads you can use within the exploit. You may be limited to using staged shellcode, where an initial small payload is inserted into the exploit and is designed to then download the larger second stage payload to extend the functionality of the shellcode. Another option is to use a Download and Execute payload where the initial small payload is simply designed to download an executable from the attacker's web server and execute it on the system. This provides a much more feature rich backdoor on the system. The main issue with downloading an executable onto the victim's system is that it is likely to be captured by Anti-Virus - if the victim has it installed.

To demonstrate the Windows executable generation within Metasploit we are going to use the "windows/exec" payload. We therefore initially need to determine the options that we must provide for this payload, as we have done previously using the Summary (S) option:

We can see that the only option we need to specify is the "CMD" option. We are simply going to execute "calc.exe" so that we can test it on our own systems. To generate a Windows executable using Metasploit we also need to specify the X output option. This will display the executable to the screen, so we need to pipe it to a file which we will call pscalc.exe, as shown below.